- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Fri, 18 Jan 2019 19:00:36 +0000
- To: public-webauthn@w3.org
The following commits were just pushed by emlun to https://github.com/w3c/webauthn: * Determine appid extension output after authenticator returns This fixes the following corner case: 1. The user has a U2F authenticator A plugged in, which has been registered via the U2F API (i.e., with AppID). 2. The user has a CTAP2 authenticator B plugged in, which has been registered via the WebAuthn API (i.e., with RP ID). 3. The user initiates an authentication ceremony and the RP sets the `appid` extension. 4. The client runs the above client processing and discovers that authenticator A does not contain a credential for the RP ID, and retries with the AppID. This succeeds, and the client sets the extension's _output_ to `true`. 5. The client initiates authentication requests with both authenticator A and B, which both prompt the user for consent. 6. The user confirms user consent on authenticator B, which generates an assertion for the RP ID. 7. The client returns the assertion for the RP ID and the `appid` client extension output set to `true`. So it was possible for the extension output to end up being `true` even though the RP should verify the assertion using the RP ID and not the AppID. by Emil Lundberg https://github.com/w3c/webauthn/commit/776b7b14d6e8f64b101db7e92318c877c588e861
Received on Friday, 18 January 2019 19:00:37 UTC